The Future of Audit Oversight

In creating the Public Company Accounting Oversight Board (PCAOB or Board), Congress fundamentally changed the system of oversight for the auditing profession.[1] The profession’s authority to write its own auditing, quality control, ethics, and independence standards and to discipline itself was removed, replaced by an independent regulator required to act in the interests of investors and the public. [2]   

The PCAOB’s implementation of the investor protection mission, however, is not complete. More needs to be done to integrate this mission into the standard-setting, inspection, and enforcement processes. Moreover, this need is taking place during a rapidly changing and challenging environment – the unprecedented economic disruption in the global economy from the pandemic, the inability of the audit process to uncover what appear to be readily apparent financial frauds, the increased reliance by investors on information outside of the financial statements, and the material impact of climate change and other environmental, social and governance (ESG) matters on the financial statements.

In my concluding remarks as a Board member, I want to discuss some ways that the PCAOB can further fulfill the investor protection mission mandated by Congress. None of these comments should be viewed as criticisms of the staff. They are areas that deserve greater consideration by the Board. 

I. The Future of Auditing, Attestation, Quality Control, Ethics, and Independence Standards

Stakeholders agree on the need to improve audit quality and the importance of auditor communication with investors and the public but do not always agree on the method of accomplishing these goals.[3] In determining auditing, attestation, quality control, ethics, and independence standards, the PCAOB should more explicitly take into account and implement the views of investors. 

Investors generally favor standards that reflect a blend of principles and objective bright-line factors.[4] Objective factors establish a predictable and consistent floor with overlying principles providing flexibility for discretion and judgment.[5]

Investors and the public also generally favor the use of governance features designed to ensure the integrity of the decision-making process.[6] Audit firms are for profit enterprises; audit quality comes at a cost. Confidence in the decision-making process requires that these potentially conflicting goals be acknowledged and structural safeguards be put in place to keep them separate.[7]

The PCAOB auditing standards do not entirely reflect these expectations. Mostly written during the era of self-regulation, investors views were largely absent from the process. In addition, they are out of date.[8] They do not adequately address a business environment dominated by technology and digitalization, the changes arising out of the evolving nature of the audit, and lessons learned from the current health pandemic.

This should change. The PCAOB’s mission requires not only greater interaction with investors when considering revisions to the auditing, attestation, quality control, ethics, and independence standards but also a shift in approach that reflects these views.[9] 

In addition to changes to the standards, the PCAOB should advance the investor protection mission through an increased use of guidance to interpret existing standards.

When Congress gave the PCAOB the authority to write and adopt standards, this included the interpretation of those very standards. The existing suite of standards is filled with vague and undefined terms, often interfering with adequate inspection and enforcement. For example:

  • The PCAOB’s standard regarding an auditor’s consideration of possible illegal acts does not require auditors to communicate to audit committees any such acts uncovered during the audit that are “clearly inconsequential”[10] Guidance could provide greater insight into when an act, while not material, is nonetheless considered consequential under the standard.[11]
  • In considering the risk of fraud in a financial statement audit, audits must include unpredictable procedures.[12] Academic evidence suggests that in fact these so-called unpredictable procedures have become predictable.[13] Guidance could be used to ensure that this does not occur.
  • The standard for considering materiality for purposes of determining the “nature, timing, and extent of audit procedures” requires only that the level be “appropriate in light of the particular circumstances.”[14] Levels that are set too high can result in an inadequate audit. Yet guidance has not been issued that seeks to ensure that materiality is set at appropriate levels.[15]  

The current approach, a holdover from the era of self-regulation, is to allow these terms largely to be interpreted by each firm in their methodology. This results in an “expectations gap,” with a chasm separating what investors and other users expect and what firms believe they are required to do. This “gap” can be narrowed through thoughtful and useful guidance issued by the PCAOB that ensures these terms are construed in a manner thatconsistent with the intent of the standardmeets the expectation of investors and the inspection and enforcement needs of the PCAOB. 

II. PCAOB Inspections

Inspections are mostly designed and performed to assess compliance with applicable standards and requirements.[16] This can, however, be an insufficient measure of audit quality, particularly given the out of date nature of many of the standards. Indeed, the approach raises the concern that audit quality will be equated with a firm’s deficiency rate.  

The interests of investors and the public would be better implemented through an approach to inspections that included as an objective an explicit focus on the quality of financial reporting.[17] Such an objective would entail greater emphasis on audits of issuers with potential departures from GAAP, on the areas of the financial statements deemed important to investors on a qualitative basis, and on the procedures used by audit firms to assess the risk of fraud and the reporting of illegal acts.

A focus on financial disclosure would also allow the inspections process to provide investors and the public with insight into the application of accounting standards by issuers and broker-dealers. The accuracy of estimates and valuations in the financial statements can depend upon the assumptions used by management. Firms may examine these assumptions as part of the audit. The inspections process can generate reports on whether and how particular assumptions such as climate change are used in connection with particular estimates and valuations.

III. PCAOB Enforcement

The enforcement function of the PCAOB is an important one. The Division of Enforcement and Investigations (DEI) often investigates and recommends actions arising from inspection findings, including those involving overseas firms.

Enforcement, however, can be used more directly to benefit investors, shareholders, and the public by helping to ensure the integrity of mandatory disclosure by audit firms required by the PCAOB and used in making investment and voting decisions.

The PCAOB has in place two sets of disclosure requirements applicable to audit firms.  

First, implemented by the prior Board, the PCAOB has adopted standards and rules that require firms to reveal the identity of the engagement partner, the other auditors used in an audit,[18] and the length of time the firm has served as the auditor.[19] In addition, audit reports may need to include critical audit matters, those areas of the audit that kept the auditor up at night.[20] The value and importance of this information to investors and the public is clear and will only increase over time. [21]  

Second, the PCAOB has established a central data base that provides the public with basic information about firms that audit public companies and SEC-registered broker-dealers. These reports identify, among other things, the firm’s clients[22] and certain disciplinary proceedings, including those brought by other domestic and foreign regulators.[23] The data base is an important source of information for investors, including customers of broker-dealers, and the public. Had such a data base been in place for broker-dealers before 2010, additional red flags relating to the fraud conducted by Bernie Madoff would have been available.[24]   

The PCAOB infrequently brings actions for violations of these requirements.[25] Moreover, when this occurs, the sanctions do not appear to be sufficient to create the necessary incentives to adequately deter violations.[26] This can be seen in particular with respect to Chinese audit firms. As of January 12, 2021, approximately 37 audit firms from China were registered with the PCAOB.[27] Of those firms, 14 had not filed an annual report for 2020, including four registered for over a decade that never filed the reports.[28]

The Board can encourage an approach to enforcement that gives greater priority to ensuring the completeness, accuracy, and timeliness of these disclosures, whether in the audit report or in filings with the PCAOB and ensuring that firms required to be registered are in fact registered.

Another important step designed to benefit investors and the public in a mission consistent fashion would be the revision of guidelines implemented in 2019 that reduced the instances when enforcement settlements identified the issuer where a deficient audit allegedly occurred.[29] The Board should provide that, at a minimum, any such guidelines explicitly take into account the need for, and benefits of, the information to investors and shareholders.[30]

IV. Audit Relevancy

There is an ongoing global debate over audit relevance and whether audit currently meets the expectations and needs of investors and other capital market participants.

The information environment of companies and investors has changed radically since glossy annual reports were mailed to public company shareholders. The annual audit needs to evolve to address the information environment. Failure to do so will cause the audit to continue to lose value in the eyes of investors and other market participants.

Evolution of the audit needs to address investor expectations with respect to assurance. This includes such topics as the role of the auditor in providing assurance for information outside the financial statements, whether non-GAAP or ESG metrics; the role of firms in evaluating threats to a company’s ability to continue as a going-concern; the role of firms in the detection of fraud (a topic elevated by the collapse of Wirecard in Europe); the identification and communication of potential illegal acts, such as bribes; and the tension between maintaining a high quality audit and succumbing to the commercial interests of an audit firm.

The investor protection mission would be advanced by having the PCAOB serve as a catalyst in this area.[31] The PCAOB is uniquely positioned to understand the interests of investors, the capacity of audit firms, and the impact on the financial disclosure process. This would also allow the PCAOB to lead rather than follow in the global debate on these issues.[32]  

V. The PCAOB Board

The mission to act in the interests of investors and the public requires a Board that actively engages with these stakeholders on a regular and structured basis.

Currently, the full Board rarely meets with investors and their representatives. And while there was, in 2020, a single “roundtable” held with a select group of asset managers,[33] the meeting was neither with the entire Board nor webcast or otherwise made public.[34] Much like interactions with large audit firms, the full Board should meet regularly with, and hear directly from, investors and investor representatives, relying on predetermined agendas that ensure feedback on topics relevant to the decision making process.[35]

The Board should also further the interests of investors and the public through a heightened commitment to transparency and public accountability. As Justice Brandeis famously said, sunlight is the best disinfectant.[36] Strong public accountability helps ensure robust commitment to the investor protection mission.[37] This requires a level of transparency sufficient to permit investors and the public to adequately monitor the activities and decisions of the PCAOB.[38]

[1] The views that I express here are my own and don’t necessarily reflect the views of other board members or the PCAOB staff.

[2] 15 U.S.C. § 7211(a) (The mission of the PCAOB shall be “to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports.”).

[3] Stakeholders generally agree on the importance of high quality audits. They differ, however, on the means of accomplishing the goal. See J. Robert Brown, Jr., Board Member, PCAOB, PCAOB 3.0: The Evolving Role of Investor Protection at the PCAOB, 50th World Continuous Auditing & Reporting Symposium, Virtual, at n. 6 (Nov. 6, 2020) (available at https://pcaobus.org/news-events/speeches/speech-detail/pcaob-3.0-the-evolving-role-of-investor-protection-at-the-pcaob) (“While all stakeholders presumably wanted to improve audit quality, investors and the public often had very different ideas about how to accomplish this goal.”).

[4] See J. Robert Brown, Jr., Board Member, PCAOB, Maintaining Investor Trust: Independent Oversight in the System of Quality Control, Massachusetts Public Employee Retirement Administration Commission Virtual Conference (Sept. 17, 2020) (available at  https://pcaobus.org/News/Speech/Pages/Brown-Maintaining-Investor-Trust-Independent-Oversight-System-Quality-Control.aspx

[5] Observation of inventory is a generally accepted auditing procedure. See PCAOB Auditing Standard 2510: Auditing Inventories. This is a rare example of a non-principles based requirement that arose from a corporate fraud in the 1930s. See In the Matter of McKesson & Robbins, Inc, Exchange Act Release No. 2707 (Accounting Series 27) (Section 21(a) Report; Dec. 5, 1940).

[6] See Comment Letters for Docket 046, (available at https://pcaobus.org/about/rules-rulemaking/rulemaking-dockets/docket-046-quality-control/comment-letters). See also Maintaining Investor Trust: Independent Oversight in the System of Quality Control, J. Robert Brown Jr., Board Member, Sep. 17, 2020, Massachusetts Public Employee Retirement Administration Commission (available at https://pcaobus.org/news-events/speeches/speech-detail/maintaining-investor-trust-independent-oversight-in-the-system-of-quality-control).

[7] See Maintaining Investor Trust, supra note 4.

[8] See J. Robert Brown, Jr., Board Member, PCAOB, Statement Regarding the PCAOB's Revised Research and Standard-Setting Agendas: Reducing Credibility, Accountability and Confidence in the Financial Reporting Process (Oct. 13, 2020) (available at https://pcaobus.org/news-events/speeches/speech-detail/statement-regarding-the-pcaob-s-revised-research-and-standard-setting-agendas-reducing-credibility-accountability-and-confidence-in-the-financial-reporting-process) (“The Board adopted, on an ‘interim’ basis, the same standards that were written during the era of self-regulation and sharply criticized in Congressional hearings. An expediency, the decision was accompanied by a commitment to reexamine the standards ‘as soon as possible’. Nonetheless, seventeen years later, despite a very different auditing environment, many of these standards remain in place without material change.”). This is also true with respect to the standards and requirements governing auditor independence. See J. Robert Brown Jr., Board Member, PCAOB, Reducing PCAOB Authority over Auditor Independence, Nov. 19, 2020, PCAOB Open Board Meeting, Virtual (available at  https://pcaobus.org/news-events/speeches/speech-detail/reducing-pcaob-authority-over-auditor-independence) (“The PCAOB adopted the audit profession's standards as a starting point when it opened its doors. Those standards were written in the era of self-regulation without adequate investor input. The failure to modernize the ‘interim’ independence standards and the related ethics rules gives new meaning to the term ‘interim’ as the PCAOB approaches the beginning of the 18th year of these ‘interim’ requirements.”)

[9] Many of the PCAOB auditing standards continue to employ non-gender neutral language. See PCAOB AS 2405.17 (“The auditor should assure himself that the audit committee is adequately informed as soon as practicable and prior to the issuance of the auditor's report with respect to illegal acts that come to the auditor's attention.”); AS 2510.01 (“Observation of inventories is a generally accepted auditing procedure. The independent auditor who issues an opinion when he has not employed them must bear in mind that he has the burden of justifying the opinion expressed.”).

[10] PCAOB AS 2405.17 (“The auditor need not communicate matters that are clearly inconsequential and may reach agreement in advance with the audit committee on the nature of such matters to be communicated.”).   

[11] Proposing and adopting releases sometimes contain additional high level insight. See PCAOB Release 2009-007 (Dec. 17, 2009) (noting that “clearly inconsequential” was “a smaller order of magnitude than materiality” and had to be inconsequential “whether taken individually or in aggregate and whether judged by any criteria of size, nature or circumstances”).

[12] See PCAOB S 2301: The Auditor's Responses to the Risks of Material Misstatement

[13] J. Robert Brown Jr., Board Member, PCAOB, Facilitating Investor Participation at the Standard-Setting Table, Oct. 21, 2019, Public Pension Financial Forum, Salt Lake City, Utah, (available at https://pcaobus.org/news-events/speeches/speech-detail/facilitating-investor-participation-at-the-standard-setting-table_708) (“Specifically, with respect to unpredictability, I would encourage you to bring any insights to the PCAOB. Remember, the PCAOB has the drafting pen and you have a seat at the table. The PCAOB could, if it wanted, look more often at the issue of unpredictability in the inspection process, and the PCAOB could potentially provide guidance on how to better fulfill the requirement. Your comments could very much contribute to these steps.”).

[14] PCAOB AS 2105: Consideration of Materiality in Planning and Performing an Audit

[15] The SEC staff expressed the view that exclusive reliance on certain quantitative benchmarks to assess materiality in preparing financial statements and performing audits of those financial statements is inappropriate and has provided guidance on the qualitative factors that are relevant to a materiality analysis. See SEC Staff Accounting Bulletin No. 99 (Aug. 12, 1999) ( available at https://www.sec.gov/interps/account/sab99.htm).

[16] See Information For Audit Committees About the PCAOB Inspection Process, PCAOB Release No. 2012-003, Aug. 1, 2012 (“PCAOB inspections are designed to identify and address weaknesses and deficiencies related to how a firm conducts audits.”).

[17] Investors have sought this broader objective. See Letter from CFA to PCAOB, PCAOB Release No. 2019-003, Concept Release, Potential Approach to Revisions to PCAOB Quality Control Standards (Mar. 16, 2020) (available at https://pcaobus.org/Rulemaking/Docket046/014_CFA.pdf) (“While it is certainly true, as discussed above, that PCAOB inspection reports suggest that many firms struggle to meet even this low bar, surely we should be setting a higher goal for firm's QC systems. The objective of ISO 9001, in contrast, is to ensure high quality processes, products and services. If the PCAOB isn't willing to set that higher bar, in terms of the objective of the standard, it should stop calling this a quality control system and label it instead as what it is, a basic compliance system.”). See also Mark DeFond & Jieying Zhang, A review of archival auditing research, 58 J. of Accounting and Economics 275, 280 (2014) (“we define higher audit quality as greater assurance of high financial reporting quality.”).

[18] See PCAOB Rule 3211. See also Form AP - Auditor Reporting of Certain Audit Participants (available at, https://pcaobus.org/about/rules-rulemaking/rules/form-ap-instructions).

[19] PCAOB AS 3101: The Auditor's Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion (available at https://pcaobus.org/oversight/standards/auditing-standards/details/AS3101).

[20] Id.

[21] For a discussion of the benefits of the disclosure of critical audit matters, see J. Robert Brown Jr., Board Member, PCAOB, It’s Not What You Look at that Matters: It’s What You See, Revealing ESG in Critical Audit Matters, Nov. 4, 2020, ICGN’s Global Virtual Summit in Virtual (available at https://pcaobus.org/news-events/speeches/speech-detail/it-s-not-what-you-look-at-that-matters-it-s-what-you-see-revealing-esg-in-critical-audit-matters).

[22] Form 2 – Annual Report Form, General Instructions, PCAOB (available at https://pcaobus.org/Rules/Pages/Form_2.aspx). Among other things, the Form 2 requires disclosure of audits of, and substantial work performed for audits of, all issuers and broker-dealers in the US.

[23] Items 2.4 to 2.11 of Form 3 require the disclosure of certain proceedings by a governmental authority. Part IV, Note to Item 4.1 states that “For the purpose of this Part, administrative or disciplinary proceedings include those of the Commission; any other federal, state, or non-U.S. agency, board, or administrative or licensing authority; and any professional association or body.” Form 3 - Special Reporting Form, PCAOB (available at https://pcaobus.org/Rules/Pages/Form_3.aspx).

[24] See J. Robert Brown Jr., Board Member, PCAOB, A Story that Will Not Tell Itself: The PCAOB’s Role in the Protection of Customers of Broker-Dealers, Oct. 7, 2020, North American Securities Administrators Association (NASAA) in Virtual.

[25] The PCAOB has apparently not brought actions against firms that should have been registered but were not. The SEC, however, has brought such cases. See Foreign Affiliates of KPMG, Deloitte, BDO Charged in Improper Audits, SEC Press Release 2018-39 (2018) (available at https://www.sec.gov/news/press-release/2018-39).

[26] The PCAOB recently brought actions against three registered firms in China for failure to file required reports concerning disciplinary actions imposed $10,000 fines. In two settlements, the sanctions included modest undertakings. See In the Matter of Da Hua CPAs (Special General Partnership), PCAOB Release No. 105-2020-015 (Sept. 29, 2020) (available at https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/enforcement/decisions/documents/105-2020-015-da-hua.pdf); In the Matter of Zhonghua Certified Public Accountants LLP, PCAOB Release No. 105-2020-018 (Sept. 29, 2020) (available at https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/enforcement/decisions/documents/105-2020-018-zhonghua.pdf). A third settlement did not include undertakings. See In the Matter of Ruihua Certified Public Accountants, PCAOB Release No. 105-2020-017 (Sept. 29, 2020) (https://pcaob-assets.azureedge.net/pcaob-dev/docs/default-source/enforcement/decisions/documents/105-2020-017-ruihua.pdf). Given the seriousness of the offense, the length of time that some disciplinary actions were unreported, and the inability of the PCAOB to inspect in China, these sanctions do not, in my opinion, provide sufficient incentive to ensure greater compliance with PCAOB reporting requirements.

[27] A search performed on Jan 1, 2021, produced 39 results (available at https://pcaobus.org/oversight/registration/registered-firms?firmcountry=China). Two of these firms, however, show that their headquarters are in Hong Kong. Id.

[28] See Registered Firms, a search performed on Jan 14, 2021 produced 4 results (available at https://pcaobus.org/oversight/registration/registered-firms?firmcountry=China&category=No%20Form%202%20filed).

[29] See J. Robert Brown Jr., Board Member, PCAOB, Issuer Disclosure in Settled Enforcement Actions at the PCAOB, Sept. 6, 2019, CFA Institute’s Corporate Disclosure Policy Council, Washington, DC (available at https://pcaobus.org/news-events/speeches/speech-detail/issuer-disclosure-in-settled-enforcement-actions-at-the-pcaob_701).

[30] PCAOB Staff Considerations on Recommending the Identification of Issuers and/or Broker-Dealers in Settled Enforcement Orders,  https://pcaobus.org/oversight/enforcement/staff-considerations-recommending-identification-issuers-broker-dealers-settled-enforcement-orders

[31] See J. Robert Brown Jr., Board Member, PCAOB, Preventing Audit Extinction, Oct. 24, 2019, Data Amplified 2019 Conference, Shanghai, China (available at https://pcaobus.org/news-events/speeches/speech-detail/preventing-audit-extinction_709).

[32] This may already be occurring. See Reducing Credibility, supra note 9 (“While deleting areas of importance to investors, the remaining items on the agendas overlap with the priorities of an international standard setter. Proposals by other standard setters are important and can be useful sources of input. The focus of the PCAOB, however, must be on the priorities of investors and the public rather than priorities of the other standard setters. In so doing, we will be far more likely to lead, rather than follow, in the global debate on auditing standards.").

[33] See Statement by Chair Duhnke, AICPA Conference, Dec. 7, 2020, at 36:40 (available at https://aicpaconferences.com/aicpa/sessions/60832/view) (‘That month [October] we also held our first virtual investor roundtable with some of the largest asset managers in the US.”). Discussions of engagement at the same conference mostly referred to stakeholders other than investors. See Id. (stating that PCAOB reached out to 700 audit committee chairs in 2019-2020; listed “audience-specific publications” that were addressed at audit committees; and noted “first-ever audit committee webinar”).  

[34] In contrast, SEC roundtables are public. See SEC Webcasts: Roundtables (available at https://www.sec.gov/news/webcasts.htm).

[35] In the past, the full Board often heard these views when attending meetings of the Investor Advisory Group. The IAG has not met since November 2018.

[36] See Louis D. Brandeis, Chapter V: What Publicity Can Do, Other People’s Money (available at https://louisville.edu/law/library/special-collections/the-louis-d.-brandeis-collection/other-peoples-money-chapter-v) (“Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.”).

[37] As I have said before, the public can’t hold the PCAOB accountable for what it doesn’t know. See J. Robert Brown, Jr., Board Member, PCAOB, Grading the PCAOB: Transparency, Accountability and Investor Protection, Conference of the Council of Institutional Investors, Minneapolis, MN (Sept. 17, 2019) (available at https://pcaobus.org/news-events/speeches/speech-detail/grading-the-pcaob-transparency-accountability-and-investor-protection_703). 

[38] The one significant exception was the creation of Part 1B to public inspection reports. In doing so, the PCAOB agreed to make a heightened category of deficiencies public, including failures to adequately communicate with the audit committee. See Seeing Through the Regulatory Looking Glass: PCAOB Inspection Reports, Jul. 23, 2020, J. Robert Brown Jr., Board Member, CFA Institute’s Corporate Disclosure Policy Council and Capital Markets Policy Council, Virtual (available at https://pcaobus.org/news-events/speeches/speech-detail/seeing-through-the-regulatory-looking-glass-pcaob-inspection-reports_724). Of course, even this step forward has the capacity to be neutered. To the extent, for example, that the Board only discloses “material” violations of the communication rules or the rules governing disclosure of critical audit matters, the section may well provide significantly less insightful disclosure.